Koozali.org: home of the SME Server

port forwarding issue

Offline treyh

port forwarding issue
« on: June 07, 2006, 05:48:16 AM »
Hello,

I once again come back to the SME community to ask for help because everyone has always been very helpful, just wanted to give you all a quick thank you.

==========
I broke this into 2 parts, simple and complicated; an answer for either way is fine with me.

Simple:
I am port forwarding from my external firewall on port 3389 to the public interface on the SME server, and then from SME I'm port forwarding 3389 to a 2003 server running RDP. It's not working. Maybe a routing issue getting back from the 2003 server to me?

I do have port forwards working from my firewall to SME directly (like ssh, 80, and 443)

Complicated Question

Network layout:

Internet
--> T1
Cisco Router
  ETH0
    -ip 5.5.5.2
    -subnet 255.255.255.248
    -gateway 5.5.5.1
--> Cat5e
Cisco Pix (does nat for 172.16.2.2)
  Outside INT
     -ip 5.5.5.3
     -subnet 255.255.255.248
     -gateway 5.5.5.2
  Inside INT
     -ip 172.16.2.1
     -subnet 255.255.255.252
--> Cat5e
SME 6.01 Server
  Outside INT
     -ip 172.16.2.2
     -subnet 255.255.255.252
     -gateway 172.16.2.1
  Inside INT
     -ip 172.16.1.5
     -subnet 255.255.0.0
--> Cat5e
Layer 2 Cisco Switch
--> Cat5e
Windows 2003 Server
  ETH0
    -ip 172.16.70.1
    -subnet 255.255.0.0
    -gateway 172.16.1.5

Port Forwarding

Internet
--> T1
Cisco Router
--> Cat5e
Cisco Pix
  STATIC NAT TRANS 5.5.5.4 --> 172.16.2.2 (for ports 80, 443, 22, and 3389)
--> Cat5e
SME 6.01 Server
  PORT FORWARD 3389 -> 2003 SERVER (172.16.70.1) PORT 3389
  *The Other ports (80, 443, 22) are used for the sme server*
--> Cat5e
Layer 2 Cisco Switch
--> Cat5e
Windows 2003 Server
  PORT 3389 SERVER (RDP)

The Problem:

3 of the port forwards are directly to the SME server. 1 of the port forwards to the sme server and then is forwarded again to the 2003 server on the internal interface of SME.
*the port forward for 3389 (the one that doesn't work) uses port 3389 across the board*

My Thoughts

I can think of 3 possible solutions to the problem. 1 or all of these might fix it; I wanted somebody else's opinion 1st.
* Most probable fix.

*1. Probably a routing issue. My request from the internet knows how to travel thru the pix and then to SME and then to the 2003 server, and then it knows how to get back to SME but then it doesn't know how to route back to me.

2. Change the 172.16.2.0/30 that's used between the inside of the pix to the outside of the SME to something like 172.17.2.0/30

3. Add 5.5.5.4 to the trusted network of SME (maybe fix the routing issue I discussed in the * most probable fix)
Trey - Network Specialist......

Offline treyh

no help
« Reply #1 on: June 08, 2006, 03:42:02 PM »
no help from anyone?
Trey - Network Specialist......

Offline kruhm

port forwarding issue
« Reply #2 on: June 11, 2006, 10:14:38 PM »
Both sides of your sme are on the same class B private IP network - 172.16.X.X

I don't think you can do this. Doesn't work for the firewall. You'll have to change the inside to something else.
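As an added illustration (not code from the thread or from SME Server), here is a small Python model of the topology posted above: it traces one RDP connection through the PIX static NAT and the SME port forward, follows the 2003 server's reply back via its default gateway, and checks kruhm's point that SME's outside /30 falls inside its own inside /16. Every address is the one posted; the Internet client 203.0.113.7 is constructed.

```python
from ipaddress import ip_address, ip_network

# Model of the posted topology; all addresses are from the post except the
# Internet client 203.0.113.7, which is constructed for the trace.
PIX_STATIC = {"5.5.5.4": "172.16.2.2"}                        # PIX static NAT
SME_FORWARD = {("172.16.2.2", 3389): ("172.16.70.1", 3389)}   # SME port forward
WIN_NET, WIN_GW = ip_network("172.16.0.0/16"), "172.16.1.5"   # 2003 server NIC

def trace_rdp(client="203.0.113.7"):
    """Follow a TCP SYN from `client` to 5.5.5.4:3389 through both NAT hops,
    then the 2003 server's SYN/ACK back.  Each hop is recorded as
    (segment, src, dst, server-side port); returns (hops, verdict)."""
    hops = []
    # Hop 1, PIX: static NAT rewrites the public address to SME's outside address
    dst, dport = PIX_STATIC["5.5.5.4"], 3389
    hops.append(("pix->sme", client, dst, dport))
    # Hop 2, SME: DNAT to the 2003 server; the source is left untouched, so the
    # reply must come back through SME to be un-translated (SME keeps state)
    sme_state = {(client, dst, dport): SME_FORWARD[(dst, dport)]}
    dst, dport = SME_FORWARD[(dst, dport)]
    hops.append(("sme->win2003", client, dst, dport))
    # Reply: if the client is off-subnet the 2003 server sends it to its gateway;
    # a client on 172.16.0.0/16 would be answered directly, bypassing SME
    reply_via = "direct" if ip_address(client) in WIN_NET else WIN_GW
    if reply_via != "172.16.1.5":
        return hops, "reply bypasses SME, translation cannot be undone"
    hops.append(("win2003->sme", dst, client, dport))
    # SME reverses the DNAT from its state table, then routes out to the PIX
    orig = next(k for k, v in sme_state.items() if v == (dst, dport))
    src, sport = orig[1], orig[2]
    hops.append(("sme->pix", src, client, sport))
    # PIX reverses the static NAT so the client sees the public address again
    src = next(pub for pub, priv in PIX_STATIC.items() if priv == src)
    hops.append(("pix->client", src, client, sport))
    return hops, "round trip consistent" if src == "5.5.5.4" else "reply mismatch"

def subnets_overlap(outside="172.16.2.0/30", inside="172.16.0.0/16"):
    """kruhm's check: does SME's outside subnet lie within its inside subnet?"""
    return ip_network(outside).overlaps(ip_network(inside))

if __name__ == "__main__":
    hops, verdict = trace_rdp()
    for hop in hops:
        print(hop)
    print(verdict, "| outside/inside overlap:", subnets_overlap())
```

Running it with the posted /30 reports the overlap; passing the 172.17.2.0/30 treyh later moved to reports none, while the NAT round trip itself is consistent either way.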

Offline treyh

a step ahead of you
« Reply #3 on: June 12, 2006, 03:34:13 AM »
Hey,

thanks for your response.

The other day I switched the /30 between the pix and SME to 172.17.2.0

Same Problem.

Any Other Ideas?
Trey - Network Specialist......

Offline kruhm

port forwarding issue
« Reply #4 on: June 12, 2006, 12:44:07 PM »
hmmmm... I would have thought that would have done the trick. I have more than 10 rdp's running through 1 server so I know it works, ok.

You'll have to troubleshoot this.

-make sure you can connect to the rdp locally to rule out any win problems/firewalls.
-double-check to make sure the ip address of the win2003 is correct now that you changed the internal network.
-double-check the port-forward is going to the correct place.
-if you have some downtime, take a laptop through each level. work backwards. locally. directly outside of sme.

Offline treyh

update
« Reply #5 on: June 12, 2006, 03:18:52 PM »
Good Morning,

Yes I know SME should work, but something is still off.

RDP works locally
I triple checked to verify the IP was correct
* same as before
works directly on the outside of SME

I still feel that somehow when the request arrives at the 2003 server, it makes it back to the SME but doesn't know how to travel back thru the pix
Trey - Network Specialist......

Offline mmccarn

port forwarding issue
« Reply #6 on: June 13, 2006, 05:36:33 AM »
If it works from the WAN subnet of the SME box it seems the problem must be in the PIX --

Can you move the 2003 box (or put a WinXP box w/ RDP enabled) between the PIX & the SME, then test from outside the PIX to test the PIX part of the system?

Offline treyh

resolution
« Reply #7 on: June 13, 2006, 03:36:42 PM »
Hello,

The pix is not the problem. If I plug that 2003 server directly into the inside int then I can RDP from the outside. And of course it's not SME because I can do the same.

The problem has got to be between the pix and SME.

I scheduled last week for me to be there to plug the pix and SME into a switch.

The pix will be the new gateway but will only allow the Server 2003's IPs to access port 80. Of course it will allow SME also but not any of the PCs. This way they have to use SME as their proxy or they go nowhere :hammer:

I had hoped that I could have resolved the issue but either way is fine with me.
Trey - Network Specialist......